diff --git a/policyDefinitions/PostgreSql/deny-postgresql-administrator-login/azurepolicy.json b/policyDefinitions/PostgreSql/deny-postgresql-administrator-login/azurepolicy.json
new file mode 100644
index 00000000..e7ef9a92
--- /dev/null
+++ b/policyDefinitions/PostgreSql/deny-postgresql-administrator-login/azurepolicy.json
@@ -0,0 +1,70 @@
+{
+ "name": "7c90f6d1-f79a-4c1c-b44a-4a655d4774f0",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "PostgreSQL flexible servers - Disable local administrator login",
+ "description": "PostgreSQL flexible servers supports local administrator login",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "PostgreSql"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
+ },
+ {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.DBForPostgreSql/flexibleServers/administratorLogin",
+ "exists": "true"
+ },
+ {
+ "value": "empty(Microsoft.DBForPostgreSql/flexibleServers/administratorLogin)",
+ "notEquals": "true"
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.DBForPostgreSql/flexibleServers/administratorLoginPassword",
+ "exists": "true"
+ },
+ {
+ "value": "empty(Microsoft.DBForPostgreSql/flexibleServers/administratorLoginPassword)",
+ "notEquals": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
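Review bot: The two `value` conditions inside the `anyOf` are never evaluated as expressions, because a `value` only goes through the template-function evaluator when it is wrapped in `[ ]`; as written `"value": "empty(Microsoft.DBForPostgreSql/flexibleServers/administratorLogin)"` is a literal string that is always `notEquals` `"true"`, so each branch collapses to its `exists` check and the policy fires on every flexible server that carries the property at all, empty or not. The intent reads as `"value": "[empty(field('Microsoft.DBForPostgreSql/flexibleServers/administratorLogin'))]"` with `"equals": "false"`, the same for the `administratorLoginPassword` branch, and the new azurepolicy.rules.json in this commit repeats both conditions verbatim and needs the same fix; it is also worth confirming an `administratorLoginPassword` alias is available to evaluation at all, since the service treats that property as write-only. Separately, `"name": "7c90f6d1-f79a-4c1c-b44a-4a655d4774f0"` is the definition name the existing deny-postgresql-passwordauth/azurepolicy.json already uses, and `d78f353a-a5e7-4747-8d31-62f361bafac5` is shared by deny-postgresql-version and both new enforce-postgresql-administrator-* definitions, so deploying them to one scope would overwrite each other; every definition needs its own unique name. The `description` should also state what the policy does rather than what the service supports, e.g. `"description": "PostgreSQL flexible servers support a local administrator login. This policy audits or denies flexible servers that set administratorLogin or administratorLoginPassword."`.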
diff --git a/policyDefinitions/PostgreSql/deny-postgresql-administrator-login/azurepolicy.parameters.json b/policyDefinitions/PostgreSql/deny-postgresql-administrator-login/azurepolicy.parameters.json
new file mode 100644
index 00000000..a22951fa
--- /dev/null
+++ b/policyDefinitions/PostgreSql/deny-postgresql-administrator-login/azurepolicy.parameters.json
@@ -0,0 +1,15 @@
+{
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/PostgreSql/deny-postgresql-administrator-login/azurepolicy.rules.json b/policyDefinitions/PostgreSql/deny-postgresql-administrator-login/azurepolicy.rules.json
new file mode 100644
index 00000000..887f8042
--- /dev/null
+++ b/policyDefinitions/PostgreSql/deny-postgresql-administrator-login/azurepolicy.rules.json
@@ -0,0 +1,41 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
+ },
+ {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.DBForPostgreSql/flexibleServers/administratorLogin",
+ "exists": "true"
+ },
+ {
+ "value": "empty(Microsoft.DBForPostgreSql/flexibleServers/administratorLogin)",
+ "notEquals": "true"
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.DBForPostgreSql/flexibleServers/administratorLoginPassword",
+ "exists": "true"
+ },
+ {
+ "value": "empty(Microsoft.DBForPostgreSql/flexibleServers/administratorLoginPassword)",
+ "notEquals": "true"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/PostgreSql/deny-postgresql-passwordauth/azurepolicy.json b/policyDefinitions/PostgreSql/deny-postgresql-passwordauth/azurepolicy.json
index 0419782a..7cd27906 100644
--- a/policyDefinitions/PostgreSql/deny-postgresql-passwordauth/azurepolicy.json
+++ b/policyDefinitions/PostgreSql/deny-postgresql-passwordauth/azurepolicy.json
@@ -2,68 +2,69 @@
 "name": "7c90f6d1-f79a-4c1c-b44a-4a655d4774f0",
 "type": "Microsoft.Authorization/policyDefinitions",
 "properties": {
- "displayName": "PostgreSQL database servers - Disable Password Authentication",
- "description": "Azure Database for PostgreSQL supports password based authentication, This policy will block the use of the local postgreSQL administrator account",
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "PostgreSQL flexible servers - Disable Password Authentication",
+ "description": "PostgreSQL flexible servers supports password based authentication",
 "metadata": {
- "version": "1.0.0",
- "category": "PostgreSql"
+ "version": "1.0.0",
+ "category": "PostgreSql"
 },
- "mode": "Indexed",
 "parameters": {
- "effect": {
- "type": "String",
- "defaultValue": "Deny",
- "allowedValues": [
- "Audit",
- "Disabled",
- "Deny"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "Enable or disable the execution of the policy"
- }
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
 }
+ }
 },
 "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
- },
- {
- "anyOf": [
- {
- "allOf": [
- {
- "field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuthEnabled",
- "notEquals": "false"
- },
- {
- "field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuthEnabled",
- "exists": "true"
- }
- ]
- },
- {
- "allOf": [
- {
- "field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuth",
- "notEquals": "Disabled"
- },
- {
- "field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuth",
- "exists": "true"
- }
- ]
- }
- ]
- }
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
+ },
+ {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuthEnabled",
+ "notEquals": "false"
+ },
+ {
+ "field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuthEnabled",
+ "exists": "true"
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuth",
+ "notEquals": "Disabled"
+ },
+ {
+ "field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuth",
+ "exists": "true"
+ }
+ ]
+ }
 ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
 }
- }
+ }
 }
\ No newline at end of file
diff --git a/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.json b/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.json
index ee80c218..96e0d289 100644
--- a/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.json
+++ b/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.json
@@ -2,13 +2,14 @@
 "name": "d78f353a-a5e7-4747-8d31-62f361bafac5",
 "type": "Microsoft.Authorization/policyDefinitions",
 "properties": {
- "displayName": "PostgreSQL database servers - Allow certain version(s)",
- "description": "Azure Database for PostgreSQL supports multiple Postgres version(s), This policy will only allow set version(s).",
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "PostgreSQL flexible servers - Allow certain version(s)",
+ "description": "PostgreSQL flexible servers supports multiple Postgres version(s), This policy will only allow set version(s).",
 "metadata": {
 "version": "1.0.0",
 "category": "PostgreSql"
 },
- "mode": "Indexed",
 "parameters": {
 "effect": {
 "type": "String",
@@ -26,7 +27,6 @@
 "allowedVersions": {
 "type": "array",
 "defaultValue": [
- "15",
 "16",
 "17"
 ],
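Review bot: The rewritten `"description": "PostgreSQL flexible servers supports password based authentication"` no longer says what the policy enforces, whereas the removed text did; for a definition that defaults to Deny the description is what an assignment reviewer reads, so something like `"description": "PostgreSQL flexible servers support password based authentication. This policy audits or denies flexible servers whose authConfig has password authentication enabled."` keeps the intent visible. `metadata.version` stays `"1.0.0"` even though the definition gains `policyType` and a new displayName and description; bumping it (a constructed example: `"version": "1.0.1"`) keeps assignments traceable to a definition revision. Both observations apply equally to the deny-postgresql-version `@@ -2,13 +2,14 @@` hunk, which makes the same edits without a version bump.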
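Review bot: Dropping `- "15",` from the `allowedVersions` default (the `@@ -26,7 +27,6 @@` hunk, and the same edit in azurepolicy.parameters.json on the next line) changes what every assignment that relies on the default will deny, yet `metadata.version` in the same file is left at `"1.0.0"`. A behaviour-changing default should come with a version bump and a sentence in the description that the default admits only `16` and `17`; assignments that pass an explicit `allowedVersions` are unaffected, and saying so avoids surprises when the definition is re-deployed.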
@@ -45,7 +45,7 @@
 },
 {
 "value": "[contains(parameters('allowedVersions'),field('Microsoft.DBForPostgreSql/flexibleServers/version'))]",
- "notEquals": "true"
+ "equals": "false"
 }
 ]
 },
diff --git a/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.parameters.json b/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.parameters.json
index 2343e0a1..1f876d9f 100644
--- a/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.parameters.json
+++ b/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.parameters.json
@@ -15,7 +15,6 @@
 "allowedVersions": {
 "type": "array",
 "defaultValue": [
- "15",
 "16",
 "17"
 ],
diff --git a/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.rules.json b/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.rules.json
index f88edfbe..60c60dbc 100644
--- a/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.rules.json
+++ b/policyDefinitions/PostgreSql/deny-postgresql-version/azurepolicy.rules.json
@@ -7,7 +7,7 @@
 },
 {
 "value": "[contains(parameters('allowedVersions'),field('Microsoft.DBForPostgreSql/flexibleServers/version'))]",
- "notEquals": "true"
+ "equals": "false"
 }
 ]
 },
diff --git a/policyDefinitions/PostgreSql/enforce-postgresql-administrator-group-principal-name-prefix/azurepolicy.json b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-group-principal-name-prefix/azurepolicy.json
new file mode 100644
index 00000000..640c4db9
--- /dev/null
+++ b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-group-principal-name-prefix/azurepolicy.json
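Review bot: Flipping `"notEquals": "true"` to `"equals": "false"` on the `contains(...)` value changes how anything other than a clean boolean is treated: with `notEquals "true"` every result except a literal true triggered the effect, with `equals "false"` only a literal false does, so if `contains()` ever yields something unexpected (a missing `version` field is the case I would test) the rule moves from fail-closed to fail-open for a Deny. If that is intended it deserves a line in the commit message; if not, `"notEquals": "true"` is the safer spelling. The same flip is made in the azurepolicy.rules.json hunk below, while the new enforce-postgresql-administrator-principal-types definition (azurepolicy.json and azurepolicy.rules.json further down) keeps `"notEquals": "true"` for an identical `contains()` check, so the repository now carries both spellings of one pattern and should settle on one.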
@@ -0,0 +1,57 @@
+{
+ "name": "d78f353a-a5e7-4747-8d31-62f361bafac5",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "PostgreSQL flexible servers administrator - Enforce a naming convention to be used for Administrator groups",
+ "description": "PostgreSQL flexible servers supports Entra ID Security groups to be PostgreSQL Administrator, This policy will only allow groups following a certain naming convention to be allowed as Administrator.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "PostgreSql"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "namePattern": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Naming pattern to enforce",
+ "description": "Allowed Entra ID Security group name pattern to enforce, for example Admin_* will enforce that the group starts with Admin_"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/flexibleServers/administrators"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/administrators/principalType",
+ "equals": "Group"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/administrators/principalName",
+ "notLike": "[parameters('namePattern')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/PostgreSql/enforce-postgresql-administrator-group-principal-name-prefix/azurepolicy.parameters.json b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-group-principal-name-prefix/azurepolicy.parameters.json
new file mode 100644
index 00000000..6b842367
--- /dev/null
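Review bot: `namePattern` is declared as `"type": "string"` while every other parameter in this commit uses `"String"` or `"Array"`; the evaluator is, I believe, case-insensitive here, but the mixed casing reads as a slip and should follow the rest of the repository. The parameter has no `defaultValue`, so an assignment must supply it, and a value of `*` silently turns the policy into a no-op; the parameter `description` should say the pattern is required and, as far as I recall the `like`/`notLike` operators, that a single `*` wildcard is supported, e.g. `"description": "Required. Entra ID security group name pattern that administrator groups must match (like/notLike semantics, one * wildcard), for example Admin_* enforces the prefix Admin_"`. The rule only constrains principals whose `principalType` equals `Group`, so users and service principals pass regardless of name; that is reasonable when paired with the new principal-types policy, but the definition description should state it. The azurepolicy.parameters.json and azurepolicy.rules.json hunks for this policy mirror the same parameter and rule.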
+++ b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-group-principal-name-prefix/azurepolicy.parameters.json
@@ -0,0 +1,22 @@
+{
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "namePattern": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Naming pattern to enforce",
+ "description": "Allowed Entra ID Security group name pattern to enforce, for example Admin_* will enforce that the group starts with Admin_"
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/PostgreSql/enforce-postgresql-administrator-group-principal-name-prefix/azurepolicy.rules.json b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-group-principal-name-prefix/azurepolicy.rules.json
new file mode 100644
index 00000000..55b63246
--- /dev/null
+++ b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-group-principal-name-prefix/azurepolicy.rules.json
@@ -0,0 +1,21 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/flexibleServers/administrators"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/administrators/principalType",
+ "equals": "Group"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/administrators/principalName",
+ "notLike": "[parameters('namePattern')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/PostgreSql/enforce-postgresql-administrator-principal-types/azurepolicy.json b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-principal-types/azurepolicy.json
new file mode 100644
index 00000000..5484ed7d
--- /dev/null
+++ b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-principal-types/azurepolicy.json
@@ -0,0 +1,56 @@
+{
+ "name": "d78f353a-a5e7-4747-8d31-62f361bafac5",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "PostgreSQL flexible servers administrator - Enforce only specific administrator principal types",
+ "description": "PostgreSQL flexible servers supports different principal types to be Administrator, allowed values; Group, ServicePrincipal, Unknown, User",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "PostgreSql"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "allowedTypes": {
+ "type": "Array",
+ "defaultValue": [
+ "Group"
+ ],
+ "metadata": {
+ "displayName": "Allowed Administrator Prinicpal Types.",
+ "description": "Valid values are; Group, ServicePrincipal, Unknown, User - https://learn.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/flexibleservers/administrators?pivots=deployment-language-bicep#administratorpropertiesforaddoradministratorproperties"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/flexibleServers/administrators"
+ },
+ {
+ "value": "[contains(parameters('allowedTypes'),field('Microsoft.DBforPostgreSQL/flexibleServers/administrators/principalType'))]",
+ "notEquals": "true"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/PostgreSql/enforce-postgresql-administrator-principal-types/azurepolicy.parameters.json b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-principal-types/azurepolicy.parameters.json
new file mode 100644
index 00000000..2bf9f4eb
--- /dev/null
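Review bot: `"displayName": "Allowed Administrator Prinicpal Types."` misspells Principal and carries a trailing period that no other displayName in the commit has; `"displayName": "Allowed Administrator Principal Types"`, and the same line in the azurepolicy.parameters.json hunk below. The candidate values are only listed in prose (`allowed values; Group, ServicePrincipal, Unknown, User`) in two places; since `allowedTypes` is an array parameter, putting `"allowedValues": ["Group", "ServicePrincipal", "Unknown", "User"]` on the parameter lets the assignment be validated instead of relying on the reader, and avoids the two prose lists drifting. The `["Group"]` default is the right deny-by-default choice; it would help to say in the description that `Unknown` (presumably a principal the service could not classify) is not something to admit without a reason.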
+++ b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-principal-types/azurepolicy.parameters.json
@@ -0,0 +1,25 @@
+{
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "allowedTypes": {
+ "type": "Array",
+ "defaultValue": [
+ "Group"
+ ],
+ "metadata": {
+ "displayName": "Allowed Administrator Prinicpal Types.",
+ "description": "Valid values are; Group, ServicePrincipal, Unknown, User - https://learn.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/flexibleservers/administrators?pivots=deployment-language-bicep#administratorpropertiesforaddoradministratorproperties"
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/PostgreSql/enforce-postgresql-administrator-principal-types/azurepolicy.rules.json b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-principal-types/azurepolicy.rules.json
new file mode 100644
index 00000000..7ed91fa6
--- /dev/null
+++ b/policyDefinitions/PostgreSql/enforce-postgresql-administrator-principal-types/azurepolicy.rules.json
@@ -0,0 +1,17 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/flexibleServers/administrators"
+ },
+ {
+ "value": "[contains(parameters('allowedTypes'),field('Microsoft.DBforPostgreSQL/flexibleServers/administrators/principalType'))]",
+ "notEquals": "true"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}
\ No newline at end of file